CVE-2026-41526

Name: CVE-2026-41526
Description: In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1135178, 1135179

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         | Release             | Version    | Status
kcoreaddons (PTS)      | bullseye            | 5.78.0-4   | vulnerable
kcoreaddons (PTS)      | bookworm            | 5.103.0-1  | vulnerable
kcoreaddons (PTS)      | forky, sid, trixie  | 5.116.0-1  | vulnerable
kf6-kcoreaddons (PTS)  | trixie              | 6.13.0-1   | vulnerable
kf6-kcoreaddons (PTS)  | forky, sid          | 6.23.0-2   | vulnerable

The information below is based on the following data on fixed versions.

Package          | Type    | Release     | Fixed Version | Urgency | Origin | Debian Bugs
kcoreaddons      | source  | (unstable)  | (unfixed)     |         |        | 1135179
kf6-kcoreaddons  | source  | (unstable)  | (unfixed)     |         |        | 1135178

Notes

https://kde.org/info/security/advisory-20260427-1.txt
Fixed by: https://invent.kde.org/frameworks/kcoreaddons/-/commit/447250fb061d6a866eeef9ae3c21b627244b198a (v6.25.0)